This tip concludes a series of articles on Windows security strategies.
TABLE OF CONTENTS
Windows password security: Systems tools and policy
Securing Windows services to prevent hacker attacks
How to prevent SQL Server and Internet Explorer hack attacks
How to detect and remove rootkits with Windows encryption
Windows security: Remote Desktop, hosts file and keyboard lock down
Reporting on the information security business for close to two decades now has meant that over those years I have collected quite a few tricks and tips for securing Windows. Some of them have been shared already in the earlier segments of this short series. However, I find myself with one part left and a bunch of assorted secrets left over. Bringing the two together seems like a good idea!
Windows 2000 tips and tricks
Let's start with a good one for those of you still working with a Windows 2000 operating system, and there are plenty of people who still fall into that particular genre. Some may be surprised to know that a relatively simple nslookup can reveal plenty of hacker-friendly information. This is courtesy of W2K defaulting to allow DNS zone transfers to any server.
Thankfully, this distinctly dodgy default behaviour was stopped in Windows Server 2003 and later, but if upgrading is not an option, then the solution is as simple as it is obvious with hindsight. Configure it to restrict zone transfers to defined hosts or simply to none at all.
Windows Remote Desktop security
Secure the Remote Desktop for Windows XP and Windows Server 2003 by changing the port it runs on from the 3389 default to something less obvious, so as to hide it from port scanning kiddie scripters. This means rolling your sleeves up and getting into the Windows Registry to do this, specifically editing the following key:
Don't forget to bring a decimal to hex calculator to convert the port number to hex before updating the entry, though. Once saved, connect using Remote Desktop by adding ':
Windows hosts file
Often overlooked, the Windows hosts file can be used to securely manage IP addressing in any flavour of Windows. Layered security always wins out because a single-pronged defence is useless if that single prong gets poked to pieces.
The Windows hosts file should be thought of in terms of being a Windows IP address book. A Web browser will look in this file for any corresponding entry that matches the requested URL, and if it finds nothing, goes online to resolve the address using DNS. If it does find an entry, it goes where directed. To prevent non-admin types from visiting a specific site, have it resolve to 127.0.0.1, and they will go nowhere fast.
Windows lock down
When the need arises to leave one's desktop in a hurry, quickly lock any Windows XP or Vista-powered computer using the Windows key + L combo to go straight to a secure user login prompt.
Wrapping up Windows security tips
And that wraps up our Windows security strategy series, which we hope you have found useful. If you have any Windows security tips and tricks of your own, why not share them with us? Send us an email at firstname.lastname@example.org.
About the author:
Davey Winder has worked as a freelance technology journalist for nearly 20 years. He is based in South Yorkshire.
This was first published in October 2008